Conficker: Doomsday, or the World's Longest Rickroll?

When it comes to criminal hackers, establishing motive is usually a no-brainer: In a majority of cases, computer worms and viruses are little more than tools that bad guys use to make money. But every so often, a prolific and sophisticated worm or virus emerges that isn't so obviously connected to a financial scheme.

Almost every time this happens, people start to get nervous and spin wild theories about the threat, until the hype surrounding said threat starts to reach a fever pitch. This is exactly what's happening with the latest version of the worm dubbed "Conficker," a contagion that has infected millions of PCs worldwide.

Computers already infected by the worm are supposed to be automatically updated with some unknown software component on April Fools Day. That's more or less the sum of what computer experts know about the rhyme or reason behind this worm, but it hasn't stopped pundits and the press alike from issuing ominous warnings.

The Sun, in London, blares: "MILLIONS of computers around the world could go into meltdown on April 1 because of a deadly virus. The Windows worm called Conficker could give a hacker unrestricted access to every infected machine on the planet."

The take from Canada's The Globe and Mail begins ominously: "Deep within the World Wide Web, there is an undercurrent of potential chaos building - a malicious piece of code that has already prompted the French military to ground some fighter planes."

I think part of what's fueling the sense of dread and uncertainty around Conficker is that the latest version seeks to avoid barriers erected earlier this year in a bid to defeat the spread of the worm. For example, the last version of the worm -- Conficker.b -- told infected systems to visit one of 250 new Web sites each day to try to download an unknown secondary component.

That second-stage download never happened because the security community came together in an extraordinary and unprecedented effort to temporarily set aside the domains being sought by the Conficker botnet. The Conficker Cabal, as it came to be called, also had to win the cooperation of several sovereign nations, since many of the domains were created in country-code domains controlled by those nations, such as China's dot-cn and Western Samoa's dot-ws.

In response, the worm's authors upped the ante by shipping Conficker.c, which increased the number of download domains to 50,000, and the number of possible country-code domains in which those Web site names could be registered to 110.
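The lookup behaviour described in the paragraphs above (hundreds, then tens of thousands, of candidate domains per day spread across many country-code TLDs) is something a defender can surface from resolver logs. The following is an added example, not code from the article or from the Conficker Cabal: it assumes a simple "<date> <time> <client-ip> query <fqdn>" log format, constructed sample lines, and arbitrary thresholds.

```python
# Added example (not from the article): flag hosts whose DNS behaviour matches the
# pattern described above, i.e. many distinct throwaway domains per day spread across
# many TLDs. Log format, thresholds and sample data are all assumptions.
from collections import defaultdict

def registered_domain(fqdn):
    """Reduce a queried name to its last two labels (assumes single-label TLDs)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def summarize(log_text):
    """Return {day: {client_ip: set(registered domains)}} from resolver log lines
    of the constructed form '<date> <time> <client-ip> query <fqdn>'."""
    stats = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "query":
            continue  # skip malformed or non-query lines
        day, _time, client, _verb, name = parts
        dom = registered_domain(name)
        if dom:
            stats[day][client].add(dom)
    return stats

def flag_hosts(log_text, min_domains=20, min_tlds=5):
    """Clients that, within one day, look up at least min_domains distinct domains
    spanning at least min_tlds distinct TLDs (thresholds are assumptions)."""
    flagged = []
    for day, per_client in summarize(log_text).items():
        for client, domains in per_client.items():
            tlds = {d.rsplit(".", 1)[1] for d in domains}
            if len(domains) >= min_domains and len(tlds) >= min_tlds:
                flagged.append((day, client, len(domains), len(tlds)))
    return sorted(flagged)

# Constructed sample log: one ordinary workstation and one host that behaves like
# the daily rendezvous lookups described in the article (all names are invented).
SAMPLE_TLDS = ["cn", "ws", "ru", "info", "biz", "cc", "tv", "org", "net", "com"]

def constructed_log():
    lines = [f"2009-03-30 08:{i:02d}:00 10.0.0.7 query www.example.com" for i in range(30)]
    lines += [f"2009-03-30 08:{i:02d}:01 10.0.0.5 query host{i:03d}.{SAMPLE_TLDS[i % 10]}"
              for i in range(40)]
    return "\n".join(lines)

if __name__ == "__main__":
    for day, client, n_dom, n_tld in flag_hosts(constructed_log()):
        print(f"{day} {client}: {n_dom} distinct domains across {n_tld} TLDs")
```

The thresholds are deliberately low for the sample; on real resolver logs they would be tuned against the baseline of distinct domains and TLDs a normal workstation touches in a day.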

You would hardly know it from the press reports so far, but the Conficker Cabal has not been sitting idly by in the face of this new threat. According to Cabal member Rick Wesson, chief executive at San Francisco-based security firm Support Intelligence, the group has managed to engage all but one of those countries so far -- the Republic of the Congo.

Wesson said the group's efforts are ongoing but already bearing fruit.

Security software maker F-Secure has put together an interesting and entertaining FAQ on Conficker, which I highly recommend that anyone worried about this threat go read. F-Secure also has a free cleaning tool available at that link. Byron Acohido at USA Today has compiled a very readable timeline of notable events in Conficker's brief history.

What I find most fascinating about Conficker is that its real legacy may well turn out to be beneficent. To date, there really hasn't been a threat that has given countries on opposite ends of the globe a unifying, urgent reason to work against a single Internet menace. Yet, due to the work of the Conficker Cabal and affected parties, that is starting to change.

"We're literally relying on people in Latvia to protect computer networks in Brazil, and the other way around, too, so each country has some capability and some responsibility once they understand the role they can play here," Wesson said. "No matter what happens with Conficker, it's created something here... a beautiful opportunity to bring cyber security to the kitchen table."

I'd exercise caution, update my protections and keep in mind: The bigger the system, the harder the fall. Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure (whether exposing sensitive data, or exposing the company to malware, etc.). PricewaterhouseCoopers and Carnegie Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and malicious harm are due to a lagging business culture – absent a new eCulture, breaches will continue to increase. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.

Q: Now I'm worried. How do I know if I'm infected?
A: Try to surf to www.f-secure.com. If you can't reach our website you might be infected, as Downadup/Conficker blocks access to security vendors' websites. Don't tell anybody, but users who can't access f-secure.com because of this can surf to www.fsecure.com instead.

It is a never-ending battle. I find it interesting that security holes and threats are not usually a big problem until AFTER the media reports on them. That triggers a swell in hacker interest and a scramble by the application vendors to plug the hole. So, sometimes, no publicity is best.

It is not a never-ending battle. Or at least not the one you think. All you have to do is get off Windows. The only battle of interest is convincing you to do it. The day the world leaves Windows - it's going to be a very quiet day.

Actually, if everyone switched to Mac, so would the hackers. The only reason PCs get hit more often is because the majority of the population uses them. I'm not saying a switch to Mac wouldn't work, just that if everyone did it, it wouldn't.

I like the Sun article. It scares people. And that's good. They should be scared. Into action. Instead of laming around as lethargic as they normally are. Into action so they get away from Windows. This has gone on for almost ten years now and it's enough. Unix doesn't get hit. Period. And it never will. Windows will never be fixed. And the GAO, Gartner, and about every conscionable security expert in the world have been trying to tell people so for the longest time. Perhaps the Sun article will actually get a few people to react. That's a Good Thing™.

@0commonsense:
Your street corner logic doesn't work in the realm of computer science. You know the old saying about keeping your mouth closed so people can only suspect you're a fool, but when you open it...? Try that.

@stukushner:
Not true. That reverts to security through obscurity and that never works. The worms and trojans are one thing; the media hysteria is another; both are bad. But without such a dumb system connected to the Internet you'd have very little of either.